Security Update Info: To protect Luminate Online sites against clickjacking, this release continues logging to evaluate client use of iFrames with Luminate Online pages. Our recent PCI audit recommended these measures to protect against clickjacking.

What is clickjacking? Clickjacking is when someone maliciously manipulates a website user's activity by hiding hyperlinks beneath legitimate buttons or other content. This can cause the user to take unintended actions, putting their information at risk. For example, if you display your donation form on a Facebook page hosted in an iFrame, a malicious person could mimic your form in their own iFrame and capture the constituent's information when it is entered into their form.

Why is it a concern? If your organization displays Luminate Online pages within a frame or iframe, it's possible that a hacker could abuse those framed pages.

What do I need to do? Any site that uses a Luminate Online-hosted page in a frame needs to be whitelisted in the SEC_CSP_FRAME_ANCESTORS_DOMAINS SDP. If you use frames to pull content from Luminate Online (LO) into Luminate CMS (LCMS), you will also need to whitelist your CMS domain.

How does the SDP work? xFrames are intended for HTTPS-to-HTTPS and HTTP-to-HTTP framing only. This means that placing secure donation forms on non-secure pages outside of Luminate Online will still leave you open to clickjacking. Here is how the SDP whitelisting works:
  • HTTPS framing HTTPS - supported out of the box
  • HTTPS framing HTTP - will not work; the browser will give the following error: Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure resource ''. This request has been blocked; the content must be served over HTTPS.
  • HTTP framing HTTP - supported out of the box
  • HTTP framing HTTPS - violates PCI compliance

How do I whitelist my site domains that use Luminate Online-hosted pages in an iframe? Note: When this site setting is blank and has not been used before, the field initially accepts at most 255 characters. If the domains you need to whitelist exceed 255 characters, enter at least 30 characters in the text field and Save; this raises the limit to 1000 characters.
  1. Select Setup > Site Options
  2. Click Go
  3. Search for the SEC_CSP_FRAME_ANCESTORS_DOMAINS option
  4. Enter a space-separated list of the domains of every site that uses Luminate Online-hosted pages in a frame. These domains will be able to embed content from this site. We have already whitelisted the following domains:
    • Facebook
    • Salesforce
    • Luminate site
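As an added illustration of the two sections above (how the SDP works and the whitelisting steps), here is example code that is not part of this article or of Luminate Online: it renders a space-separated domain list like the SEC_CSP_FRAME_ANCESTORS_DOMAINS value into a Content-Security-Policy frame-ancestors header and applies the browser's matching rules to decide whether a given framing page is allowed. The sample domains, the assumption that the Luminate site itself corresponds to the CSP 'self' keyword, and the simplified matching (scheme and host only, no ports or paths) are this example's own.

```python
"""Added example (not Blackbaud or Luminate Online code): how a
space-separated frame-ancestors whitelist such as the value of the
SEC_CSP_FRAME_ANCESTORS_DOMAINS setting becomes a Content-Security-Policy
header, and how a browser then decides whether a framing page may embed
the protected page. Matching follows the CSP3 host-source rules in a
simplified form (scheme and host only; ports and paths are ignored)."""
from urllib.parse import urlsplit

# Constructed sample setting value (illustrative domains, not the real
# pre-whitelisted entries mentioned in the article).
SAMPLE_SDP_VALUE = "https://www.example.org https://cms.example.org *.facebook.com"


def build_frame_ancestors_header(sdp_value: str) -> str:
    """Render the setting as a CSP header. Assumption: the protected site
    itself is represented by the 'self' keyword."""
    sources = ["'self'"] + sdp_value.split()
    return "Content-Security-Policy: frame-ancestors " + " ".join(sources)


def _scheme_matches(expected: str, actual: str) -> bool:
    """CSP scheme-part matching: exact, or an http source satisfied by https."""
    return expected == actual or (expected == "http" and actual == "https")


def _host_matches(pattern: str, host: str) -> bool:
    """CSP host-part matching: exact host, or a '*.' wildcard that matches
    any subdomain but not the bare domain itself."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".example.com"
    return pattern == host


def source_matches(source: str, page_url: str, ancestor_url: str) -> bool:
    """Does one frame-ancestors source expression allow ancestor_url to
    frame page_url?"""
    page, ancestor = urlsplit(page_url), urlsplit(ancestor_url)
    if source == "'self'":
        return (page.scheme, page.netloc) == (ancestor.scheme, ancestor.netloc)
    if source == "'none'":
        return False
    if "://" in source:
        scheme, rest = source.split("://", 1)
    else:
        # A bare domain inherits the protected page's own scheme.
        scheme, rest = page.scheme, source
    host = rest.split("/", 1)[0].split(":", 1)[0]  # drop any path or port
    return (_scheme_matches(scheme.lower(), ancestor.scheme)
            and _host_matches(host, ancestor.hostname or ""))


def frame_decision(sdp_value: str, page_url: str, ancestor_url: str) -> str:
    """Classify an embedding attempt the way the article's table does, then
    apply the whitelist. Returns a short verdict string."""
    page, ancestor = urlsplit(page_url), urlsplit(ancestor_url)
    if ancestor.scheme == "https" and page.scheme == "http":
        # The browser blocks the request itself; CSP is never consulted.
        return "blocked: mixed content"
    sources = ["'self'"] + sdp_value.split()
    if not any(source_matches(s, page_url, ancestor_url) for s in sources):
        return "blocked: frame-ancestors"
    if ancestor.scheme == "http" and page.scheme == "https":
        # Loads in the browser, but a secure page framed by a non-secure one.
        return "allowed but non-compliant: secure page framed by non-secure page"
    return "allowed"


if __name__ == "__main__":
    protected_page = "https://secure.lo.example/site/Donation"  # constructed
    print(build_frame_ancestors_header(SAMPLE_SDP_VALUE))
    for ancestor in ("https://www.example.org/donate-page",
                     "https://apps.facebook.com/app",
                     "https://facebook.com/",
                     "https://evil.example.net/",
                     "http://www.example.org/old-page"):
        print(ancestor, "->", frame_decision(SAMPLE_SDP_VALUE, protected_page, ancestor))
```

Running it shows that a wildcard entry such as *.facebook.com covers subdomains only, that an unlisted origin is refused by frame-ancestors, and that an HTTPS page framed from an HTTP origin is refused unless an http:// entry is deliberately listed, which is exactly the non-compliant case the table above warns about.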

What happens next? The Luminate team is continuing to monitor the use of Luminate Online in iFrames. In Luminate Online, you can choose whether to display your information in an iFrame or in the more secure xFrame. Blackbaud recommends the use of xFrames to ensure your information is secure. Blackbaud also recommends that you do not display secure content on a non-secure page, to increase security further.

Where can I learn more? For more information on xFrames and frame ancestors, review:

To prevent any errors with frames loading, please ensure your domains are whitelisted by February 28th, 2017. Blackbaud will begin enforcing the whitelist on this date; from then on, only whitelisted domains will be able to use xFrames.